[Info-vax] Variable declarations, was: Re: improving EDT

Kerry Main kemain.nospam at gmail.com
Wed Nov 23 20:23:02 EST 2016


> -----Original Message-----
> From: Info-vax [mailto:info-vax-bounces at rbnsn.com] On Behalf
> Of Paul Sture via Info-vax
> Sent: 23-Nov-16 5:49 PM
> To: info-vax at rbnsn.com
> Cc: Paul Sture <nospam at sture.ch>
> Subject: Re: [Info-vax] Variable declarations, was: Re: improving
> EDT
> 
> On 2016-11-23, Kerry Main <kemain.nospam at gmail.com> wrote:
> >
> > Based on this conversation, this is a timely article from earlier
> > today:
> >
> > How to Protect the Encryption Keys to Your Kingdom
> > http://bit.ly/2g3fxw4
> >
> > "Tatu Ylönen, CEO and founder of SSH Communications Security, was
> > clearly frustrated as we talked over lunch. “Why can’t I get through
> > to them,” he asked, almost rhetorically. Ylönen was expressing a level
> > of dismay common in the security industry.
> > Getting senior management to invest in security can be a daunting
> > task."
> >
> > Original will wrap:
> > http://www.eweek.com/security/how-to-protect-the-encryption-keys-to-your-kingdom.html
> 
> Heheh. I stumbled across a video by Tatu on this subject just last
> week.
> 
> A much more detailed account of the ssh key management
> problem can be found here on Tatu Ylönen's company website:
> 
> <https://www.ssh.com/iam/ssh-key-management/>
> 
> --- start quote ---
> We have worked with many companies, including several global top-10
> banks, leading retailers, and other large Fortune 500 companies. Based
> on our findings, most organizations:
> 
>     Have extremely large numbers of SSH keys - even several million -
>     and their use is grossly underestimated
>     Have no provisioning and termination processes in place for key
>     based access
>     Have no records of who provisioned each key and for what purpose
>     Allow their system administrators to self-provision permanent
>     key-based access - without policies, processes, or oversight.
> 
> In the case of one representative customer, we went through a quarter
> of their IT environment as part of a major SSH key management project.
> They had five million daily logins using SSH, most of them using SSH
> keys for automation. We analyzed 500 business applications, 15000
> servers, and found three million SSH keys that granted access to live
> production servers. Of those, 90% were no longer used. Root access was
> granted by 10% of the keys.
> --- end quote ---
> 

Which then begs the question .. "is SSH and associated key management a truly supportable security solution to a large scale problem?"

Support complexity and the ability to handle it is a critical consideration when deploying any new solution. 

Given the scenario described, one could argue that this is actually a very insecure solution because it provides a false sense of security.


Regards,

Kerry Main
Kerry dot main at starkgaming dot com
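As an added example that is not part of this thread: a small Python audit that cross-checks an authorized_keys inventory against sshd "Accepted publickey" log lines and flags the two conditions the quoted findings call out, keys never seen in use and keys that grant root. Hostnames, key blobs and log lines are constructed stand-ins.

```python
import base64
import hashlib
import re

def blob(tag):
    # Constructed stand-in for a real base64 key blob; only the fingerprint arithmetic matters here.
    return base64.b64encode(tag.encode()).decode()

# Constructed inventory: (host, account, authorized_keys line) collected from each server.
AUTHORIZED_KEYS = [
    ("app01", "deploy", f"ssh-ed25519 {blob('key-deploy-a')} ci@build"),
    ("app01", "root", f"ssh-ed25519 {blob('key-root-x')} admin@laptop"),
    ("db01", "backup", f'command="/usr/bin/rsync" ssh-rsa {blob("key-backup-2014")} backup@2014'),
]

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of one authorized_keys line (leading options allowed)."""
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-", "sk-")))
    raw = base64.b64decode(fields[idx + 1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

# sshd logs the key fingerprint on every successful public-key login.
LOG_RE = re.compile(
    r"(\S+) sshd\[\d+\]: Accepted publickey for (\S+) from \S+ port \d+ ssh2: \S+ (SHA256:\S+)"
)

# Constructed log sample: only the deploy key on app01 was used in the review window.
SAMPLE_LOG = [
    f"Nov 23 20:10:01 app01 sshd[4121]: Accepted publickey for deploy from 10.0.0.5 "
    f"port 52211 ssh2: ED25519 {fingerprint(AUTHORIZED_KEYS[0][2])}",
    "Nov 23 20:11:07 app01 sshd[4130]: Failed password for invalid user test from 10.0.0.9 port 4022 ssh2",
]

def audit(keys, log_lines):
    """One record per authorized key: was it used on that host/account, and does it grant root?"""
    seen = set()
    for entry in log_lines:
        m = LOG_RE.search(entry)
        if m:
            seen.add((m.group(1), m.group(2), m.group(3)))
    return [
        {"host": h, "account": a, "fingerprint": fingerprint(l),
         "used": (h, a, fingerprint(l)) in seen, "root": a == "root"}
        for h, a, l in keys
    ]

def findings(report):
    """Keys to review first: never used in the log window, or granting root."""
    return [r for r in report if not r["used"] or r["root"]]

if __name__ == "__main__":
    for r in findings(audit(AUTHORIZED_KEYS, SAMPLE_LOG)):
        print(f"{r['host']}:{r['account']} {r['fingerprint']} used={r['used']} root={r['root']}")
```

In practice the inventory and logs come from every host, and a key absent from months of logs is a candidate for the termination process the quoted text says is usually missing.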